
Blesta Install Compromised


serverni

Question

Hi,

I have had Blesta installed and running for around 6 months now.

I am very happy with it, however just today my install got hacked (SPAM).

Here is a sample:

Spam email message sample:

Return-path: <fay_skinner@serverni.com>
Received: from serverni by poseidon.thewebhostserver.com with local (Exim 4.85)
(envelope-from <fay_skinner@serverni.com>)
id 1ZWgdS-003brw-7c
for laynaah-92@hotmail.fr; Tue, 01 Sep 2015 09:09:43 +0100
To: laynaah-92@hotmail.fr
Subject: RE: The Famous Teen Movies
X-PHP-Script: serverni.com/support/vendors/ckeditor/skins/v2/footer.php for 97.74.24.108
From: "Fay Skinner" <fay_skinner@serverni.com>
Reply-To:"Fay Skinner" <fay_skinner@serverni.com>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <E1ZWgdS-003brw-7c@poseidon.thewebhostserver.com>
Date: Tue, 01 Sep 2015 09:09:42 +0100
X-OutGoing-Spam-Status: No, score=1.7


<div>
<h2>The Famous Teen Movies - <a href="[sNIPPED MALICIOUS LINK]" to see it</a></h2>
</div>

I have suspended my own domain to prevent future spam, but I am wondering what action to take to prevent this?

I regularly change passwords and I am running the very latest version of Blesta.

Thanks,

Justin.


11 answers to this question


Hello Justin,

Have you got anything else on the same domain, or any other accounts on the server? If you have, someone could have done what happened to a client of mine: their client's WordPress got hacked and all their accounts were compromised. It's not Blesta itself, so you have to work out whether you have a weak password, insecure software on the same account / server, or the control panel on the server.

Not much we can do; you can either do it yourself or hire a system admin. I recommend bobcares.com.


Hi,

Thanks for the quick reply.

At least I now know the Blesta install is sound and to look server-wide for weak scripts.

Cheers,

Justin.

 

WordPress is the main suspect; Joomla / WHMCS are the other options. If you have them on the server, make sure they are updated. If I were you, I would back up blesta.php, remove the Blesta files, and then re-upload the full Blesta zip.

That way you know you don't have anything in the Blesta folders. Then look over your whole server, even if you need to run malware detect. That will also tell you the files where the malware was uploaded.


The file ckeditor/skins/v2/footer.php is not part of the ckeditor package.

You should check the server log for how it was uploaded to that place.

If you are on a shared server with other accounts, that would explain why the file is there. If you are running CloudLinux + CageFS, then it is not caused by other sites on the server but by the main site. Are you hosting any other script on the main domain alongside the Blesta script?


As naja mentioned, /support/vendors/ckeditor/skins/v2/footer.php is not part of Blesta. You should remove footer.php immediately, and investigate how it was uploaded to that directory. If you have any other software running on the server like WordPress, make sure it is up to date. WordPress is responsible for a lot of exploited websites.

 

We highly recommend running Blesta on its own server without any other applications, keeping the server up to date, and locking it down with a firewall.


> As naja mentioned, /support/vendors/ckeditor/skins/v2/footer.php is not part of Blesta. You should remove footer.php immediately, and investigate how it was uploaded to that directory.


Probably too late now, but next time make sure to do a "stat /path/to/file" before you delete the file.

It shows the file modification time to the second. Looking up that exact time in your webserver access log can sometimes help find a compromised script, if that was used to install that file.

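Putting the two pieces of advice above into one script: the check described here (take the dropped file's modification time from stat and look that time up in the web-server access log) and the lead that was already in Justin's spam headers (the X-PHP-Script line names the script that sent the mail and the client IP that triggered it, so the access log can be searched for requests to that path as well). This is an added example, not code from the thread or from Blesta. The header excerpt mirrors the sample in the question; the Apache access-log lines, the plugin path, the 203.0.113.x / 198.51.100.x addresses and the timestamps are constructed for illustration, and the "dropped file" is a temporary file whose mtime is set to the constructed upload time.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Header excerpt modelled on the sample in the question (constructed, not a real capture).
SPAM_HEADERS = (
    "Received: from serverni by poseidon.thewebhostserver.com with local (Exim 4.85)\n"
    "X-PHP-Script: serverni.com/support/vendors/ckeditor/skins/v2/footer.php for 97.74.24.108\n"
    "Date: Tue, 01 Sep 2015 09:09:42 +0100\n"
)

# Constructed Apache combined-format access log. The plugin path and the
# 203.0.113.x / 198.51.100.x addresses are hypothetical documentation values.
ACCESS_LOG = """\
203.0.113.7 - - [01/Sep/2015:08:52:03 +0100] "GET /blog/wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Sep/2015:08:53:40 +0100] "GET /support/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2015:09:01:12 +0100] "POST /blog/wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 0 "-" "curl/7.43.0"
97.74.24.108 - - [01/Sep/2015:09:09:42 +0100] "POST /support/vendors/ckeditor/skins/v2/footer.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_x_php_script(headers):
    """Return (script_path, client_ip) from the X-PHP-Script header, or None if absent."""
    m = re.search(r"^X-PHP-Script:\s*[^/\s]+(/\S+)\s+for\s+(\S+)", headers, re.M)
    return (m.group(1), m.group(2)) if m else None


def parse_access_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0]  # drop the query string for matching
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def file_mtime(path):
    """Modification time as an aware datetime: the same value `stat` prints."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(entries, when, window=timedelta(seconds=60)):
    """Requests whose timestamp falls within +/- window of `when` (both timezone-aware)."""
    return [e for e in entries if abs(e["ts"] - when) <= window]


def requests_to(entries, path):
    return [e for e in entries if e["path"] == path]


def triage(headers, access_log, dropped_file):
    """Correlate the dropped file and the spam headers with the access log."""
    script_path, client_ip = parse_x_php_script(headers)
    entries = parse_access_log(access_log)
    mtime = file_mtime(dropped_file)
    return {
        "script": script_path,
        "client_ip": client_ip,
        "mtime": mtime,
        # Who called the dropped script: the spam trigger, usually a POST.
        "hits_on_script": requests_to(entries, script_path),
        # What was requested when the file was written: the uploader usually shows up here.
        "around_mtime": requests_near(entries, mtime),
    }


def make_stand_in_file(mtime):
    """Throwaway file with its mtime forced to `mtime`, standing in for the real footer.php."""
    fd, path = tempfile.mkstemp(suffix="-footer.php")
    os.close(fd)
    os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    return path


def demo():
    """Run the triage against the constructed data and return the result dict."""
    upload_time = datetime(2015, 9, 1, 9, 1, 12, tzinfo=timezone(timedelta(hours=1)))
    path = make_stand_in_file(upload_time)
    try:
        return triage(SPAM_HEADERS, ACCESS_LOG, path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    r = demo()
    print("sending script:", r["script"], "called by", r["client_ip"])
    for e in r["hits_on_script"]:
        print("  hit:", e["ip"], e["ts"].isoformat(), e["method"], e["path"], e["status"])
    print("file written at:", r["mtime"].isoformat())
    for e in r["around_mtime"]:
        print("  nearby:", e["ip"], e["ts"].isoformat(), e["method"], e["path"], e["status"])
```

Two caveats when running this against a real box. The mtime is only useful while the file is untouched, which is why the advice is to stat before deleting; it can also be back-dated by the attacker with touch, so compare it with the change time that stat prints on the same line, which is harder to forge. And the log timestamps carry the server's offset, so keep everything timezone-aware rather than comparing wall-clock strings.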


> Probably too late now, but next time make sure to do a "stat /path/to/file" before you delete the file.
>
> It shows the file modification time to the second. Looking up that exact time in your webserver access log can sometimes help find a compromised script, if that was used to install that file.

Or, if you are running cPanel, try rkhunter or ConfigServer: http://configserver.com/cp/cxs.html

It's what I used to use when I used cPanel.
